Enterprise · security review

Procurement, transparently.

Five phases. 6–10 weeks typical. Most security reviews fail not because the vendor is bad but because the timeline is opaque. This page makes it transparent — phase by phase, what we deliver, what we ask for, what counts as "done."

Five phases

What happens, when, and what's delivered.

Same shape as a typical SaaS security review. We've front-loaded the document delivery so your team can read in parallel with Phase 3 — most of the calendar time is waiting on red-line cycles, not on us.

Phase 1 — Initial briefing

30 min · same business day after first contact
Activities
  • Enterprise briefing call — your security team + compliance lead + our founder
  • Walkthrough of fastpace primitives mapped to your control library
  • Anonymized audit-pack walkthrough (sample customer)
  • Initial NDA exchange (mutual, standard terms)
Deliverables
  • Mutual NDA executed
  • Briefing slide deck shared
  • Sample audit pack provided under NDA

Phase 2 — Document review

1–2 weeks · async, light-touch
Activities
  • Your security team requests our standard security review pack (see checklist below)
  • We deliver within 48 hours of request
  • Your team reviews + flags follow-ups
  • Optional: 30-min Q&A call to walk specific concerns
Deliverables
  • SOC 2 Type II report (attestation, full report under NDA)
  • Most-recent annual penetration test executive summary (under NDA)
  • Sub-processor list + DPAs
  • Filled CAIQ + SIG-Lite questionnaires
  • Threat model (STRIDE walk against every primitive)
  • Architecture deep-dive (data flow, trust boundaries, key management)

Phase 3 — Architectural review

1 hour · 1 week after Phase 2
Activities
  • Your security architect + our founder, on a call
  • Walk through your specific deployment model (cloud, hybrid, air-gapped)
  • Discuss your auditor's specific framework wording (where bespoke mappings are needed)
  • Address any flags from Phase 2 document review
  • Agree on residual risks + compensating controls
Deliverables
  • Written architectural-review summary (your team's notes + our acknowledgments)
  • Bespoke compliance-mapping draft (if Enterprise tier)
  • Risk register entries for any residual concerns

Phase 4 — Legal + procurement

1–3 weeks · parallel with Phase 3
Activities
  • MSA + DPA red-line — your standard paper, our review and counter
  • Data-residency, retention, and sub-processor approval clauses
  • Insurance certificates exchanged
  • Renewal + termination terms
  • Your procurement team's standard onboarding (vendor risk, financial review)
Deliverables
  • Signed MSA + DPA
  • Vendor onboarding complete in your TPRM tool
  • PO issued

Phase 5 — Pilot deployment

2 weeks · operator-led on your side
Activities
  • Your dev / platform / security team installs fastpace in 1–3 pilot repos
  • Activation with your Enterprise license
  • Your IdP wired up for SAML envelope verification
  • First quarterly audit pack scheduled
  • Named CSM kickoff call
Deliverables
  • Pilot installs reporting to your hosted org dashboard
  • First audit-chain entries flowing
  • Slack Connect channel opened with your team
  • Onboarding plan for the broader rollout

What you can ask for

The standard security review pack.

Six sections covering every artifact your security team typically asks for. Delivered within 48 hours of request. Not all sections apply to every customer (CMK, FedRAMP wording and source escrow are Enterprise-tier surfaces) — your security team decides which sections to dig into.

Cryptography & key management

  • Issuer key location, rotation cadence, escrow procedure
  • Per-install identity-keypair generation flow + storage
  • Signature algorithm + format (Ed25519, canonical-JSON envelope)
  • Audit-chain hash algorithm + tamper-evidence verification
  • Customer-managed encryption key support (Bedrock CMK / Azure CMK / GCP CMEK) for Enterprise

Identity & access

  • SAML / OIDC support (configurable IdP)
  • SCIM provisioning for the org dashboard
  • RBAC model (admin / reviewer / viewer / billing-admin)
  • API authentication (Ed25519-signed bearer tokens, no shared secrets)
  • Service-account / CI runtime guidance

Data flow & trust boundaries

  • What data leaves the developer machine (audit summaries only — no source, no prompts, no responses)
  • Sub-processors per data class
  • Region / data-residency commitments
  • Air-gap deployment story (Enterprise tier)
  • Telemetry: what we collect, what we never collect

Compliance & framework mapping

  • NIST AI RMF mapping (24 sub-controls)
  • ISO/IEC 42001 mapping (18 sub-controls)
  • EU AI Act high-risk-system mapping (Articles 9–17)
  • SOC 2 Type II mapping (CC4.1 / CC6.1 / CC7.1 / CC8.1)
  • ISO 27001 Annex A mapping (22 controls)
  • Bespoke framework wording (FedRAMP / HIPAA / FFIEC / FINRA — Enterprise tier only)

Operational maturity

  • SOC 2 Type II report (most-recent, under NDA)
  • Annual penetration test executive summary (under NDA)
  • Incident response runbook + recent incident history
  • Change-management evidence (ADRs, signed policy bundles)
  • Sub-processor change-notification cadence
  • SLA + escalation paths

Vendor risk

  • Insurance certificates (cyber + E&O)
  • Financial stability documentation
  • Continuity-of-business plan
  • Source-code escrow option (Enterprise)
  • Source-code license (ELv2 — source-available, see [LICENSE](https://github.com/fastpace-ai/fastpace/blob/main/LICENSE))

Fast tracks

When the timeline can compress.

Four conditions that turn the 6–10 week timeline into 2–4 weeks. If any of these describes you, flag it on the briefing call — we'll skip the phases that don't add value for your specific situation.

You already use Drata / Vanta / Secureframe

We push directly into your existing platform. Audit pack lands in your dashboard alongside everything else. Cuts security-review time in half — your auditor already trusts the platform our evidence flows into.

You have a SOC 2 Type II of your own

Skip the architecture deep-dive — your team already understands the control language. Phase 3 condenses to a 30-minute scoped Q&A.

You have a CAIQ / SIG-Lite already filled out for similar tools

We accept your existing answers as input — you only need to flag where AI-governance specifics diverge from your last filled-out questionnaire.

You're in design-partner mode

No procurement cycle. 6-month free Enterprise in exchange for input + a closing case study. Your security review still happens but is collaborative, not adversarial.

Start the briefing call.

Same business day response. Mutual NDA at the start of the call. Sample audit pack within 24 hours after the call. Founder still reads every sales email.